CMake Support for SARIF Format Enhances Build System Diagnostic Reporting

October 8, 2025

As of version 4.0, CMake can record its diagnostic output in the Static Analysis Results Interchange Format (SARIF), so that SARIF-aware consumers such as IDEs and dedicated result viewers can present build-system issues reported by CMake with richer detail than a scrape of its terminal output provides.

To generate a SARIF file for a single CMake run, add the argument `--sarif-output=<path>` to the CMake command line. To generate SARIF persistently for a project, set the CMake cache variable `CMAKE_EXPORT_SARIF` to `ON`; CMake will then write a SARIF file containing the diagnostics from the configure and generate steps to `<build>/.cmake/sarif/cmake.sarif` by default.

Currently, a SARIF file produced by CMake contains, for each diagnostic message CMake emits, the message text, its severity level, and its site of origin (the CMakeLists.txt or module file and the line within it). The SARIF format can aggregate results from several tools and several runs in one file, but CMake currently records only its own diagnostics; output from compilers or other analyzers invoked during the build is not included.
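The two paragraphs above describe how a CMake SARIF log is produced and what it holds. The script below is an added example, not CMake's or Kitware's code, showing how a consumer (a CI gate, for instance) reads such a file: it flattens every run's results into (level, message, file, line) records, tolerates the optional fields SARIF allows to be absent, and fails the build when an error-level result is present. The embedded SARIF document is constructed to follow the SARIF 2.1.0 layout described above; its messages are illustrative and are not copied from a real CMake run. To use it on real output, configure with `cmake -S . -B build --sarif-output=build/cmake.sarif` (or `-D CMAKE_EXPORT_SARIF=ON`) and pass the resulting path as the first argument.

```python
"""Read a CMake SARIF log and summarise the diagnostics it records.

Added example (not CMake's or Kitware's code). SAMPLE_SARIF is a
constructed document following the SARIF 2.1.0 layout: each result
carries a level, a message, and (optionally) a physical location.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not real CMake output. The third result deliberately
# has no location, which CMake can emit for diagnostics not tied to a file.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CMake", "version": "4.0.0"}},
        "results": [
            {
                "level": "warning",
                "message": {"text": "Policy CMP0000 is not set"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "CMakeLists.txt"},
                    "region": {"startLine": 3, "startColumn": 1}}}],
            },
            {
                "level": "error",
                "message": {"text": 'Unknown CMake command "add_exectuable".'},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/CMakeLists.txt"},
                    "region": {"startLine": 12}}}],
            },
            {
                "message": {"text": "Manually-specified variables were not used by the project"},
            },
        ],
    }],
})

VALID_LEVELS = {"error", "warning", "note", "none"}


@dataclass(frozen=True)
class Diagnostic:
    level: str              # "error", "warning", "note" or "none"
    message: str
    uri: Optional[str]      # None when the result carries no source location
    line: Optional[int]
    column: Optional[int]


def load_diagnostics(sarif_text: str) -> list[Diagnostic]:
    """Flatten every result in every run into Diagnostic records.

    The file is treated as untrusted input: optional fields may be absent,
    so each lookup has a default, and an unexpected version or level is
    rejected rather than silently mis-parsed.
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    out: list[Diagnostic] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")   # SARIF default when omitted
            if level not in VALID_LEVELS:
                raise ValueError(f"invalid result level: {level!r}")
            message = result.get("message", {}).get("text", "<no message text>")
            uri = line = column = None
            locations = result.get("locations") or []
            if locations:
                phys = locations[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                region = phys.get("region", {})
                line = region.get("startLine")
                column = region.get("startColumn")
            out.append(Diagnostic(level, message, uri, line, column))
    return out


def count_by_level(diags: list[Diagnostic]) -> dict[str, int]:
    """Number of diagnostics per severity level."""
    return dict(Counter(d.level for d in diags))


def render(d: Diagnostic) -> str:
    """Compiler-style one-liner: path:line:col: level: message."""
    where = d.uri or "<no location>"
    if d.line is not None:
        where += f":{d.line}"
        if d.column is not None:
            where += f":{d.column}"
    return f"{where}: {d.level}: {d.message}"


def gate(diags: list[Diagnostic], fail_on: tuple[str, ...] = ("error",)) -> bool:
    """CI gate: True when no diagnostic reaches a failing level."""
    return not any(d.level in fail_on for d in diags)


if __name__ == "__main__":
    # Usage: python sarif_summary.py <build>/.cmake/sarif/cmake.sarif
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    diags = load_diagnostics(text)
    for d in diags:
        print(render(d))
    print(count_by_level(diags))
    sys.exit(0 if gate(diags) else 1)
```

The gate keys on the SARIF `level` field rather than on message text, which is the practical benefit of the structured format: a CI job can promote warnings to failures (`fail_on=("error", "warning")`) without pattern-matching CMake's console output.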

Problem Reporting and the Motivation for SARIF

In a typical software engineering workflow, developers rely on tools that analyze source code and report potential problems or suggest changes. These tools include compilers, code quality scanners such as clang-tidy, and build tools such as CMake. Problems are usually reported with a location of origin, a severity, and a description. Many of these tools emit that information only as free-form messages on the standard output streams, intended for a person reading a terminal.

SARIF, by contrast, offers a standardized, well-defined schema for reporting static analysis results. A consumer that understands SARIF can integrate with any analysis tool that produces a SARIF file, without special knowledge of that tool's output format.

For instance, IDEs often integrate with a selection of static analysis tools, aggregating results from across the workspace and visualizing them with annotated "squiggles" in the source code. Without a standardized reporting format, integrating a new tool requires a bespoke parser for its text output, which makes rich integration more complex to implement, expensive to maintain, and fragile whenever the tool's message format changes.

Viewing CMake Run Results from a SARIF File

The SARIF Viewer extension for Visual Studio Code can visualize the results from a CMake SARIF log. The diagnostics reported by CMake are aggregated in the results pane, each linked to its location in the source. The extension also highlights the flagged source lines with color-coded underlines, often referred to as "squiggles."

A VS Code instance with an example CMakeLists.txt and the results pane from the SARIF Viewer extension. There are two flagged lines in the CMakeLists, each corresponding to a warning reported in the SARIF file.

Limitations and Next Steps

At the moment, the detail in the SARIF log does not give VS Code users more information than the CMake Tools extension already derives by parsing CMake's `stdout` and `stderr` streams directly. In the future, however, the level of diagnostic information CMake makes available through SARIF can be increased. For instance, CMake's SARIF logs do not yet include the call stack (the chain of function and include() calls that led to the diagnostic), even though CMake often has this information and prints it on the console.

For more on CMake 4.0, watch our webinar recording: CMake 4.0: What You Need to Know.

As more detail is added to CMake's warning and error logs, this standardized format for exchanging diagnostic information will let tools across the ecosystem integrate with CMake's reporting more quickly and with less custom code.
